Certificateless broadcast signcryption scheme supporting equality test in smart grid

With the development of cloud computing and the application of Internet of Things (IoT) in the smart grid, a massive amount of sensitive data is produced by the terminal equipment. This vast amount of data is subject to various attacks during transmission, from which users must be protected. However, most of the existing schemes require a large amount of network bandwidth resources and cannot ensure the receiver's anonymity. To solve these shortcomings, we construct a broadcast signcryption scheme supporting equality test based on certificateless cryptosystem. The scheme employs a symmetric encryption algorithm to improve encryption and transmission efficiency; the Lagrange interpolation theorem is used to encrypt the user's identity to ensure the privacy preservation of terminal devices; and a trusted third party is used to eliminate duplicated ciphertext for identical messages using an equality test, resulting in efficient network bandwidth utilization. Experimental analysis shows that our work has greater advantages in the field of practical broadcast services.


Introduction
The use of intelligent Internet of Things (IoT) devices brings great convenience to data communication. Wireless sensor networks have been widely applied in the smart grid. Because wireless sensor networks transmit information over public channels, and power data and sensitive information may be distorted in the transmission process, there are security risks associated with the smart grid. Many fields of study use it in conjunction with cryptography algorithms to guarantee the security of sensitive information. Amos Fiat and Moni Naor [1] first proposed broadcast encryption, which is suitable for one-to-many communication where the broadcaster transmits the encrypted data to an authorized receiver. Each receiver can obtain the ciphertext and decrypt messages with its private key. Compared with the traditional one-to-one encryption model, broadcast encryption can reduce the computation and communication overhead. Therefore, it has significant application and value in IoT scenarios [2][3][4]. Unfortunately, they are unable to guarantee the privacy of users or the transmission of sensitive information. As the information collected by IoT equipment is sensitive, users expect a guarantee of the security of data transmission and communication. A certificateless cryptosystem is proposed to deal with the key escrow problem. It can realize efficient and secure transmission of broadcast ciphertext [5][6][7][8]. Because the same broadcast ciphertext may be generated by different encryption methods, it will occupy bandwidth resources on resource-limited devices, limit the applicability of the application environment, and cause great inconvenience and waste of space. The ciphertext equality test [9][10][11] can match ciphertexts on broadcasters and cloud servers, so as to realize the de-duplication of redundant copies and save bandwidth resources.
Currently, there exist malicious attackers in the smart grid, causing the smart grid to face some security threats, such as users forging smart meter data, unauthorized users accessing sensitive information and causing privacy leakage, and malicious attackers stealing data when wireless sensor networks transmit information over public channels. Thus, the scheme demands that the intelligent power supply system encrypt data and send ciphertext to users in the form of broadcasting, so as to transmit users' power information efficiently and securely. Broadcast signcryption achieves data sharing between broadcast servers and authorized receivers. Unfortunately, many existing broadcast signcryption schemes have some shortcomings. They are unable to realize the privacy preservation of receiver identities and need a lot of bandwidth resources.
Based on the current security threats in the smart grid and the shortcomings of existing schemes, we propose a broadcast signcryption scheme that supports equality test based on certificateless cryptosystem. First, the scheme solves the key escrow problem in identity-based cryptosystems by using a certificateless cryptosystem and ensures the receiver's anonymity by using the Lagrange interpolation theorem. Second, our proposed scheme can be proven secure under the Random Oracle Model. In addition, the proposed scheme realizes the function of data de-duplication by using equality test and lightweight broadcast signcryption by reducing computation cost.

Motivation and contributions
To realize the privacy preservation of smart meters' identities and the confidentiality of sensitive information, while also saving bandwidth resources, we propose a broadcast signcryption scheme supporting equality test based on certificateless cryptosystem. The main contributions of our work are as follows:
• The scheme ensures the privacy of the user's identity. Not only are illegal receivers unable to obtain the sender's identity, but a receiver also does not know the other receivers' identities.
• The proposed scheme uses equality test to realize the function of data de-duplication. To achieve efficient utilization of network bandwidth, the duplicate ciphertext of the information generated by different encryption methods is de-duplicated by a trusted third party.
• We realize lightweight broadcast signcryption by reducing the bilinear pairing operation, which has a high computation cost, in unsigncryption. The experimental analysis showed that the computing efficiency was higher than existing schemes, and had greater advantages in practical applications.

Organization
The organization of this paper is as follows. We survey the related works in Section 2. In Section 3, we briefly describe the background. Our scheme and its correctness are presented in Section 4. Security proof is given in Section 5. In Section 6, we present the performance evaluation. Finally, we conclude the work in Section 7.

Related works
Duan et al. [12] first construct the broadcast signcryption scheme in combination with the signcryption algorithm and the broadcast transmission. Unfortunately, the scheme does not meet the security requirements of adaptive chosen-ciphertext attack. Based on the problem of one-to-one single transmission in the traditional signcryption scheme, broadcast signcryption solves the shortcomings of communication efficiency in information transmission. Since the invention of broadcast signcryption, many academics and practitioners have proposed schemes to meet various security performance requirements [13,14]. Zhang et al. [13] construct a signcryption scheme that resists quantum attacks based on lattice and identity cryptosystem. [14,15] designed efficient signcryption algorithms that allow the sender to transmit multi-messages to multi-receivers and analyzed the efficiency of each scheme. Qiu et al. [15] design a broadcast scheme based on certificateless cryptosystem and apply it to the IoT, lowering the computation cost of the receiver by outsourcing the gateway signature verification operation. However, there is the problem of key escrow. Peng et al. [16] connected the edge node with the IoT device. Edge computing can reduce the computation burden of terminal devices and the delay of network transmission. However, the ciphertext of this scheme does not have the authorization set of the receiver. Due to the risk of location privacy leakage in the charging process of electric vehicles, Kumar et al. [17] design an electric vehicle charging framework combined with grid encryption technology. Alagarsamy et al. [18] propose an Exponentiated Multilinear Vectorized Certificateless Signcryption (EMV-CLSC) scheme, which reduces memory usage when processing multiple data and improves computation efficiency. [19][20][21] propose lightweight and efficient access control signcryption schemes based on the certificateless cryptosystem. Ullah et al. [20] propose an anonymous certificateless signcryption scheme using elliptic curves to guarantee security requirements in Internet of Vehicles, but this scheme only signcrypts a single message and is not suitable for multi-message environments. Sarvesh et al. [22] present a multi-signcryption scheme with public verifiability to reduce the threats of private key escrow and replay attacks. Unfortunately, these schemes fail to consider the processing of redundant data generated by different encryption methods for the same information. Luo et al. [23] propose a signcryption scheme for data communication between different network domains, but it can't ensure the privacy of receivers. Khan et al. [24] set a smaller key unit based-identity signcryption, which is not applicable to equipment with limited resources, and there is the risk of the receiver's privacy leaking. Mandal et al. [25] design a user access control scheme that fails to achieve the receiver's privacy preservation. Shen et al. [26] propose a lightweight and secure data transmission protocol for wireless body area networks, which supports multidisciplinary treatment but carries a risk of leakage of the partial private key. Aiming at addressing the shortcomings and improving the efficiency of existing schemes, we propose a broadcast signcryption scheme that supports equality test based on certificateless cryptosystem. Our proposed work ensures the receiver's anonymity and information integrity and confidentiality, while also realizing the function of data de-duplication by using equality test and lightweight broadcast signcryption by reducing computation cost.

Hard problems
We give several hard problems to demonstrate the security of our work.

System model
The smart power grid relies on intelligent technology, such as wireless sensors, to realize information collection and data transmission. As can be seen from Fig 1, detailed information is collected through sensor equipment. It is assumed that the application field deploys wireless sensor network nodes in multiple power jurisdictions and monitoring areas. The wireless sensor network nodes collect power data and other data in real time and upload them to the aggregation base station. Because wireless sensor networks transmit information over public channels, and power data and sensitive information may be distorted in the transmission process, there are security risks associated with the smart grid. Many fields of study use it in conjunction with cryptography algorithms to guarantee the security of sensitive information.
As is shown in Fig 2, our proposed system model includes five entities: Intelligent power supply system, Trusted Third Party (TTP), Key Generation Center (KGC), Smart meter and Cloud Server (CS). After the KGC generates public and private keys for the intelligent power supply system and the smart meter, the intelligent power supply system signcrypts the collected information, such as the meter operation status and smart meter data, and then sends the ciphertext to CS and TTP for ciphertext equality test. TTP deletes the duplicate ciphertext of the information generated by different encryption methods. When the CS broadcasts ciphertext to the smart meter, the authorized device can unsigncrypt the ciphertext using its private key independently.

KGC. Assuming KGC is a fully trusted entity, the device set and the intelligent power supply system send a registration request before the broadcaster broadcasts the message. After receiving the request, the KGC generates public and private keys for the smart meter and intelligent power supply system to ensure the device's legality.
Intelligent power supply system. After receiving the information gathered by wireless sensor network monitoring equipment, it selects a group of equipment to collect messages, encrypts the message and uploads it in the monitoring area, and then sends the signature to the TTP for ciphertext equality test.
TTP. In order to rid the ciphertext of duplicated data, the TTP checks whether the received ciphertext has a copy of the same information generated by different encryption methods on the CS.
Smart meter. The smart meter submits a registration request for legal identities to the key generation center. When the CS broadcasts ciphertext to the smart meter, the authorized device can send verification information to a trusted third party for ciphertext matching. After obtaining the correct response, the ciphertext can be decrypted independently.
CS. The trusted third party can be operated by the CS to match the duplicate data of the ciphertext generated and transmitted throughout the entire broadcast process. Although ciphertext is stored on the CS, it can't get any information about ciphertext from the broadcaster.

Formal definition
For the signcryption scheme supporting equality test in smart grid, we give the detailed definition of each algorithm as follows:
Setup ($1^\lambda$): Inputs security parameter $\lambda$, KGC returning public parameter Pars, TTP's private key $x_T$ and the master key $s$.
Set secret-value ($ID_i$): It takes Pars and the receiver's identity $ID_i$ as input and returns $x_i$ as the receiver's secret value.
Extract partial-private key ($s, X_i, ID_i$): The inputs are the $ID_i$ of the receiver, the master key $s$, the public key of the receiver $X_i$ and the public parameters Pars, and it returns the partial private key $z_i$.
Set private and public key ($ID_i, z_i, W_i$, Pars): Inputs the $ID_i$ of the receiver, the partial private key $z_i$ and Pars, and returns the private key of the receiver $(d_i, y_i)$ and the public key of the receiver $(X_i, Y_i)$.
Signcryption (Pars, $ID_i, X_i, M$): The inputs are the public parameters Pars, a set $\{ID_i, X_i\}_{i=1,2,\dots,n}$ and the message $M$. The output is the ciphertext $\sigma$.
Unsigncryption ($y_i, \sigma, ID$): The inputs are the public parameter Pars, a private key of the smart meter $y_i$, a set $\{ID_i\}_{i=1,2,\dots,n}$ of the receivers' identities and the ciphertext $\sigma$; it outputs the recovered message and verifies the message using the broadcaster's public key.
Equality-test ($CT, CT'$): TTP executes this algorithm. The inputs are the public parameter Pars, the private key $x_T$ and two ciphertexts $CT$ and $CT'$. The output is 1 if $CT$ and $CT'$ are the same message generated by different encryption methods; otherwise, it returns 0.

Security model
To ensure broadcast security, the proposed work must satisfy message security in three respects, each defined through a polynomial-time game simulated between an adversary and a challenger: indistinguishability under chosen multiple identities and chosen ciphertext attack (IND-CMID-CCA), strong unforgeability under chosen multiple identities and ciphertext attack (SUF-CMID-CCA), and anonymity under chosen multiple identities and ciphertext attack (ANON-CMID-CCA).

The proposed scheme
We construct a certificateless broadcast signcryption scheme that supports equality test. In the scheme, the broadcaster can signcrypt a message for many different receivers, and a receiver belonging to the authorization group can unsigncrypt the ciphertext to obtain the plaintext. Table 1 presents the notations in our proposed scheme. The scheme includes five algorithms:
Setup: Inputs security parameter $\lambda$ and returns bilinear pairing $e : G_1 \times G_2 \to G_T$, where $G_1 = \langle P_1 \rangle$, $G_2 = \langle P_2 \rangle$ and they have the same prime order $p$. Define six hash functions as:

Signcryption:
The public parameters Pars, message $M$, receiver's identity $ID_i$, sender's private key $SK_s = (d_s, y_s)$, public key $PK_s = (X_s, Y_s)$ and the public key $PK_T$ of TTP are taken as inputs and then performs as follows:
• The final broadcast ciphertext is $\sigma = (CT, u, R)$.

Unsigncryption:
The broadcast ciphertext $\sigma$, receiver's public key $(X_i, Y_i)$ and receiver's identity $ID_i$ are taken as inputs to perform the following steps: Return true if it holds, otherwise, return $\perp$; , otherwise, outputs $\perp$.
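The scheme relies on the Lagrange interpolation theorem to keep the receiver set anonymous. The following added example (not code from the paper or its authors) shows the usual way this is done in multi-receiver schemes: the broadcaster publishes only the coefficients of the polynomial through the points $(x_i, v_i)$ with $x_i = H_2(ID_i)$, and each receiver evaluates it at its own $x_i$. The per-receiver values `v_i`, the modulus `P`, the SHA-256 stand-in for $H_2$ and all function names are assumptions of this example, not the paper's formulas.

```python
import hashlib

# Prime modulus standing in for the group order p (assumption: 2^127 - 1).
P = 2**127 - 1


def h2(identity: bytes) -> int:
    """x_i = H_2(ID_i), mapped into Z_p^* (SHA-256 is a stand-in hash)."""
    digest = hashlib.sha256(b"H2" + identity).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


def poly_mul_linear(coeffs, root):
    """Multiply a polynomial (lowest degree first) by (x - root) mod P."""
    out = [0] * (len(coeffs) + 1)
    for k, c in enumerate(coeffs):
        out[k] = (out[k] - root * c) % P
        out[k + 1] = (out[k + 1] + c) % P
    return out


def lagrange_basis(xs, i):
    """Coefficients of f_i(x) = prod_{j != i} (x - x_j) / (x_i - x_j) mod P."""
    coeffs, denom = [1], 1
    for j, xj in enumerate(xs):
        if j != i:
            coeffs = poly_mul_linear(coeffs, xj)
            denom = denom * (xs[i] - xj) % P
    inv = pow(denom % P, -1, P)  # x_i are distinct, so denom is invertible
    return [c * inv % P for c in coeffs]


def broadcast_header(identities, values):
    """Return T_k = sum_i a_{i,k} * v_i for k = 0..n-1.

    The header has n coefficients and contains no identity, so it reveals
    how many receivers there are but not who they are.
    """
    if len(identities) != len(values):
        raise ValueError("one value per receiver is required")
    xs = [h2(identity) for identity in identities]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate receiver identity")
    header = [0] * len(xs)
    for i, v in enumerate(values):
        for k, a in enumerate(lagrange_basis(xs, i)):
            header[k] = (header[k] + a * v) % P
    return header


def recover(header, identity):
    """Receiver side: evaluate the header polynomial at x_i (Horner's rule).

    f_j(x_i) is 1 for j == i and 0 otherwise, so the sum collapses to v_i.
    """
    x, acc = h2(identity), 0
    for t in reversed(header):
        acc = (acc * x + t) % P
    return acc


if __name__ == "__main__":
    # Constructed sample data: three meters, each with its own value v_i.
    # In a real scheme v_i is bound to the receiver's key material, so
    # knowing an identity alone is not enough to use the recovered value.
    meters = [b"meter-A", b"meter-B", b"meter-C"]
    per_receiver = [1001, 2002, 3003]
    hdr = broadcast_header(meters, per_receiver)
    for m in meters + [b"meter-X"]:
        print(m.decode(), recover(hdr, m))
```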

Equality-test:
, returns 1 if it holds and $\perp$ otherwise.
Correctness: The correctness of our proposed work is as follows: 1.

Security proof
We prove the security of our work under the hard problem and security model in Section 4.
Theorem 1. If the BDH problem in $(G_1, G_2)$ is hard, our work is secure against the IND-CMID-CCA of the $A_I$.
Proof: Simulator B is created to solve the hard problems of BDH in $(G_1, G_2)$. Inputs ($P_1$,
H query: After receiving the query from the adversary on the target identity $\{ID_i\}_{i=1,2,\dots,n}$, B creates $(ID_i, W_i, \psi_i, \theta_i)$ in the list $H$ and initializes it to null. If the identity exists in the tuple, returns $W_i$. Otherwise, randomly selects a bit $\psi_i \in \{0, 1\}$ and an integer $\theta_i \in Z_p$. If

Secret-value query: After receiving the request from
Extract Partial-private key query: Inputs $ID_i$, B executes as follows:
• If $ID_i = ID_j$, B sends $\perp$ to $A_I$;
• If $ID_i \neq ID_j$, and if $(ID_i, SK_i, PK_i, w_i, x_i, z_i)$ exists in the list $H_i$, B sends partial-private key $z_i$ to $A_I$; otherwise, runs key query and returns tuple $(ID_i, SK_i, PK_i, x_i, z_i)$ and sends partial-private key $z_i$ to $A_I$.
Private query: After receiving the request from $A_I$, B sends public key $PK_i$ to $A_I$ if $(ID_i, SK_i, PK_i, x_i, z_i)$ exists in list $H_i$; otherwise, B runs key query, returns $(ID_i, SK_i, PK_i, x_i, z_i)$ and sends public key $PK_i$ to $A_I$ and responds as follows:

Unsigncryption query:
The adversary requires B to run unsigncryption query on ciphertext $CT$ and identity $ID_i$. After receiving the request, if $ID_i = ID_j$, $i = 1, 2, \dots, n$, B sends $\perp$ to $A_I$; otherwise, B responds as follows:
• Inputs the broadcaster identity $ID_s$, authorized device identity $ID_i$ and ciphertext $CT$, and then computes $W = r_1 \cdot P_1$;
• Computes $K' = H_4(C_2 / e(W, C_1))$; from the list $H_4$, uses the symmetric key $K'$ and returns it to If so, the execution is completed. If $i$ does not exceed the number of $H_4$ queries, B returns $M$ to $A_I$; otherwise, outputs $\perp$;
Challenge: $A_I$ selects two equal-length $M_0$, $M_1$ and challenger identity and public key set $S^* = (ID_1/X_1, \dots, ID_l/X_l)$. In phase 1, $A_I$ cannot use the identity $ID_i \in S^*$ to run the private key query. If $\psi_i = 1$ at the tuple $(ID_i, W_i, \psi_i, \theta_i)$ in list $H_1$, B responds as follows: $A_I$ runs a series of adaptive queries consistent with those in phase 1, but challenge ciphertext $CT^*$ cannot be decrypted. If $ID_i \in S^*$, extract partial-private key query is not allowed.
Theorem 2. If the DDH problem in $G_1$ is hard, our proposed scheme is secure against the IND-CMID-CCA of $A_{II}$.
Proof: Simulator B is created to solve the hard problems of DDH in $G_1$. Let $P_1, aP_1, bP_1, W \in G_1$, where $a, b \in Z_p^*$ are unknown; judge whether $W = abP_1$. B and $A_{II}$ simulate the security game.
Setup: sets system public key $PK_{pub} = \alpha P_1$ and $PK_T = \beta P_1$, and then sends system parameter
Phase 1: $A_{II}$ adaptively issues a series of queries.
H query: After receiving the query from the adversary on the target identity $\{ID_i\}_{i=1,2,\dots,n}$, B creates $(ID_i, W_i)$ in the list $H$ and initializes it to null. If the identity exists in the tuple, returns $W_i$. Otherwise, randomly selects an integer $\theta_i \in Z_p$, computes $W_i = \theta_i \cdot P_1$ and adds $(ID_i, W_i, \psi_i)$ to the list $H_1$. Finally, B returns $W_i$ to $A_{II}$.
H Public key query: After receiving the query from the adversary on the target identity $\{ID_i\}_{i=1,2,\dots,n}$, if the $(ID_i, W_i, x_i)$ has existed in the list $H$ and initializes it to null. If the identity exists in the tuple, returns $W_i$. Otherwise, randomly selects a bit $\psi_i \in \{0, 1\}$ and an integer $a_i \in Z_p$. If $\psi_i = 0$, computes $X_i = a_i \cdot P_1$; otherwise, sets $X_i = a_i \cdot bP_1$ and adds $(ID_i, a_i, X_i, \psi_i)$ to the list $H$. Finally, B returns $X_i$ to $A_{II}$.
Unsigncryption query: It is similar to the Unsigncryption query in Theorem 1.
Challenge: It is similar to the Challenge in Theorem 1.
Phase 2: $A_{II}$ runs a series of adaptive queries consistent with those in phase 1, but challenge ciphertext $CT^*$ cannot be decrypted. b). This means that $r_1 = a$, $\tau = b$ in the signcryption.

Functional comparison
We compare the functions of the proposed work with those of five existing broadcast signcryption schemes [15, 22-25]. From Table 2, scheme [15] outsources the verification operation to the gateway, which reduces the computation cost of the receiver at the decryption stage. However, there is the problem of key escrow. Scheme [22] presents a multi-signcryption scheme with public verifiability to reduce the threats of private key escrow and replay attack but can't eliminate duplicate copies in the system. Scheme [23] proposes a certificateless broadcast signcryption scheme, but can't ensure the privacy of the receiver. Scheme [24] sets a smaller key unit based-identity signcryption, which is not applicable to equipment with limited resources, and there is the risk of the receiver's privacy leaking. Scheme [25] designs a user access control scheme which fails to achieve the receiver's privacy preservation, and its computation cost of unsigncryption is higher than that of the proposed work.

Efficiency analysis
We compare the computation times of our work with those of the existing schemes [15,22] as shown in Table 3. The communication cost between our work and other schemes is shown in Table 4.
1) Computation cost. The comparison of the computation times of our work and existing schemes [15,22] is shown in Table 3. $T_e$, $T_m$, $T_p$, $T_h$, $T_{Inv}$ represent the time of executing exponential, multiplication, bilinear pairing, hash, and multiplication inversion operations, respectively. The operation time ordering is $T_p > T_e > T_m > T_h > T_{Inv}$. $n$ represents the number of users. The computation cost increases as $n$ grows.
2) Communication cost. We compare the communication costs of the proposed work with those of schemes [15,22] as shown in Table 4. We set $|Z_p^*| = 16$ bytes and $|G| = 32$ bytes. $n$ represents the number of users. The ciphertext sizes are $n|Z_p^*| + |Z_p^*| + |G|$, $n|G| + |Z_p^*|$, and $n|Z_p^*| + |G| + 4|Z_p^*|$ in [15], [22] and our scheme, respectively. The communication cost grows linearly with $n$, as shown in Table 4.

Experimental analysis
The experiment uses a bilinear pairing-based cryptography library under the Linux operating system. The parameter type of the bilinear pairing package is Type-A. It uses the C programming language and is programmed and executed on a PC with a 2.60 GHz CPU and 8 GB RAM. We compare the computation time of the signcryption and unsigncryption algorithms of [15,22] and our proposed scheme, and set the number of devices from the smart grid at 10, 20, 30, 40, 50, 60, 70 and 80, respectively. The number of devices on the smart grid can be dynamically adjusted to manage authorized devices more flexibly.
Fig 3 shows that the computation time of our work in the data signcryption stage is lower than that of scheme [22]. Although the computation efficiency of scheme [15] is higher than that of our scheme, the proposed work has higher security and practical application value. It is also the case that the computation efficiency of our work in the data unsigncryption stage is higher than that of existing schemes [15,22]. When the number of devices is 20, the computation time of our scheme is 46.565 ms, while those of [15,22] are 122.278 ms and 242.153 ms, respectively. Fig 5 shows that the communication costs of our work are lower than those of [22]. The unsigncryption computation and communication cost of [22] is higher than that of our proposed scheme. The core reason is that equality test cannot be performed. Although the communication cost of [15] is higher than that of our scheme, our proposed work has higher security and can better guarantee the privacy of users.

Conclusion
Currently, there exist malicious attackers in the smart grid, causing the smart grid to face some security threats, such as users forging smart meter data, unauthorized users accessing sensitive information and causing privacy leakage, and so on. To realize the privacy preservation of smart meters' identities and the confidentiality of sensitive information, guarantee the security of data communication and solve the problem of insufficient transmission network bandwidth resources, we construct a broadcast signcryption scheme supporting equality test based on certificateless cryptosystem. The scheme realizes the anonymity between receivers and ensures the privacy of data. In addition, our work also achieves a data deletion function for the same ciphertext, which greatly saves the network bandwidth and ciphertext storage space. Finally, an analysis of the existing broadcast signcryption schemes and our proposed scheme reveals that our proposed work has higher practical application value.

Game 1: IND-CMID-CCA security
This game is played between adversary A and challenger C under the IND-CMID-CCA security model. The security model is defined as follows:
Setup: C takes the security parameter $\lambda$ as input and returns the public parameters Pars and the master key $s$. C sends the public parameter Pars to A and keeps $s$. Then, A selects a random identity from set $\{ID_i\}_{i=1,2,\dots,n}$.
Phase 1: A runs an adaptive prediction query, and C responds to the query.
Challenge: A sends two equal-length plaintexts $M_0$ and $M_1$ to C. C randomly selects a bit $b \in \{0, 1\}$ to obtain ciphertext $\sigma^*$ and returns it to A.
Phase 2: A executes a series of inquiries as in Phase 1, but is not allowed to perform extract partial-private key and unsigncryption queries for a user whose public key has been replaced.
Guess: A guess bit $b^* \in \{0, 1\}$ is generated by A. A wins the game if $b^* = b$.
Definition 1: Our work satisfies the indistinguishability of chosen multiple identities and the chosen ciphertext attack security (IND-CMID-CCA) if there are no adversaries having a non-negligible advantage to win Game 1.

Game 2: SUF-CMID-CCA security
The adversary A interacts with the challenger C under the SUF-CMID-CCA security model. We define the security model as follows:
Setup: It is similar to the setup in Game 1.
Attack: It is similar to the attack in phase 1 of Game 1.
Forgery: A uses target user set $\{ID_i\}_{i=1,2,\dots,n}$ and plaintext to forge signatures $\sigma^*$. If any user in the target user set $\{ID_i\}_{i=1,2,\dots,n}$ unsigncrypts ciphertext $\sigma^*$ correctly, A wins the game. In this process, the ciphertext cannot be obtained by a series of inquiries, and all restrictions are consistent with those in phase 2 of Game 1.
Definition 2: Our proposed work can resist the strong unforgeability of chosen multiple identities and ciphertext attack (SUF-CMID-CCA) if there are no adversaries having a non-negligible advantage to win Game 2.

Game 3: ANON-CMID-CCA security
The adversary interacts with the challenger under the ANON-CMID-CCA security model. We define the security model as follows:
Setup: C takes $\lambda$ as input, returns Pars and $s$ as output, sends Pars to A and keeps $s$. Then, A randomly selects identity set $L = \{ID_0, ID_1\}$ and sends it to C.
Phase 1: This is the same as Game 1.
Challenge: A selects the challenge target's identity $L^* = \{ID_2, ID_3, \dots, ID_n\}$ and plaintext and sends them to C. C randomly selects a bit $b \in \{0, 1\}$, formalizes the challenge ciphertext $CT^*$ with a new target identity list $L^* = \{ID_b, ID_2, ID_3, \dots, ID_n\}$ and sends $CT^*$ to A.
Phase 2: It is the same as Game 1.
Guess: Finally, a guess bit $b^* \in \{0, 1\}$ is returned by A. A wins this game if $b^* = b$.
Definition 3: Our work satisfies the anonymity of chosen multiple identities and ciphertext attack security (ANON-CMID-CCA) if there are no adversaries having a non-negligible advantage to win Game 3.

Computational Diffie-Hellman (CDH) problem [23]. Given $aP, bP \in G$, compute the element $abP$, where $a, b \in Z_p^*$ are unknown and $P$ denotes the generator of group $G$.

Table 1. Notations. https://doi.org/10.1371/journal.pone.0290666.t001
• Set secret-value: A receiver selects a number $d_i \in Z_p^*$ at random to act as secret value. It then computes $X_i = d_i \cdot P_1$ and returns $ID_i \| X_i$ to the KGC;
• Partial-private key: A receiver submits its identity $ID_i$, master secret key $s$, public key $X_i$ and Pars to KGC. KGC selects a number $\omega_i \in Z_p^*$ and computes $W_i = \omega_i \cdot P_1$, $h_i = H(ID_i)$, $y_i = (\omega_i + h_i \cdot s) \bmod p$, and generates the user's partial-private key $z_i = y_i + H_1(ID_i, X_i, W_i)$; KGC sends $h_i$, $z_i$ and $W_i$ to the user;
• Set private and public key: Computes private key $y_i = z_i - H_1(ID_i, X_i, W_i)$ and public key $Y_i = y_i \cdot P_1$; the partial-private key is true where $y_i \cdot P_1 = W_i + h_i \cdot PK_{pub}$, otherwise, outputs $\perp$. User's public key $PK_i = (X_i, Y_i)$ and private key $SK_i = (d_i, y_i)$.
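The three key-generation steps above, carried through end to end as an added example (not code from the paper or its authors). It assumes secp256k1 as a stand-in for $G_1$, SHA-256 for $H$ and $H_1$, and $PK_{pub} = s \cdot P_1$, which is what the check $y_i \cdot P_1 = W_i + h_i \cdot PK_{pub}$ requires; all function names are hypothetical.

```python
import hashlib
import secrets

# secp256k1 stands in for the pairing group G_1 = <P_1> (assumption: key
# generation only needs G_1 arithmetic, not the pairing e).
FIELD = 2**256 - 2**32 - 977
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # p
P1 = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
      0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the identity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1 % FIELD, -1, FIELD) % FIELD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD) % FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)


def mul(k, pt):
    """Scalar multiplication k * pt (double-and-add, not constant-time)."""
    acc, k = None, k % ORDER
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def hash_to_scalar(tag, *parts):
    """Stand-in for H / H_1: length-prefixed SHA-256 reduced mod p."""
    h = hashlib.sha256(tag)
    for part in parts:
        data = part if isinstance(part, bytes) else repr(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % ORDER


def rand_scalar():
    return secrets.randbelow(ORDER - 1) + 1  # uniform in Z_p^*


def setup():
    """KGC: master key s and PK_pub = s * P_1 (assumed form of PK_pub)."""
    s = rand_scalar()
    return s, mul(s, P1)


def set_secret_value():
    """Receiver: secret value d_i and X_i = d_i * P_1."""
    d = rand_scalar()
    return d, mul(d, P1)


def extract_partial_key(s, identity, X):
    """KGC: W_i, h_i, and the masked partial key z_i = y_i + H_1(...)."""
    w = rand_scalar()
    W = mul(w, P1)
    h = hash_to_scalar(b"H", identity)
    y = (w + h * s) % ORDER
    z = (y + hash_to_scalar(b"H1", identity, X, W)) % ORDER
    return h, z, W


def set_keys(identity, d, X, h, z, W, pk_pub):
    """Receiver: unmask y_i, verify it against PK_pub, build the key pair.

    Returns None (the page's "outputs ⊥") when the check fails.
    """
    y = (z - hash_to_scalar(b"H1", identity, X, W)) % ORDER
    Y = mul(y, P1)
    if Y != add(W, mul(h, pk_pub)):
        return None
    return (d, y), (X, Y)  # SK_i = (d_i, y_i), PK_i = (X_i, Y_i)


if __name__ == "__main__":
    s, pk_pub = setup()
    meter = b"meter-001"  # constructed sample identity
    d, X = set_secret_value()
    h, z, W = extract_partial_key(s, meter, X)
    print("honest KGC accepted:", set_keys(meter, d, X, h, z, W, pk_pub) is not None)
    print("tampered z accepted:", set_keys(meter, d, X, h, z ^ 1, W, pk_pub) is not None)
```

The check binds $z_i$ to the identity and to $X_i$ and $W_i$ through $H_1$, so a partial key replayed for another identity or altered in transit is rejected before it becomes part of $SK_i$.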
the DDH problem and checks $V \stackrel{?}{=} b_1 b_2 P_1$. B and $A_I$ simulate the security game.
Setup: B sets system public key $PK_{pub} = \alpha P_1 = \varphi(\alpha P_2)$ and $PK_T = \beta_1 P_1$, and then sends system parameter Pars $= \{P_1, P_2, G_1, G_2, p, e, H, H_1, H_2, H_3, H_4, H_5, (E, D)\}$ to $A_I$. After receiving Pars, $A_I$ outputs the target identity $\{ID_i\}_{i=1,2,\dots,n}$.
Phase 1: B sets $H$, $\{H_i\}_{i=1,2,\dots,5}$ and runs a series of queries, returns the results to $A_I$, and the query results are stored in lists $H, H_1, H_2, H_3, H_4, H_5$.
$bP_2$) and adds $(ID_i, W_i, \psi_i, \theta_i)$ to the list $H$. Finally, B returns $W_i$ to $A_I$;
$H_1$ query: Inputs $(ID_i, X_i, W_i)$, B runs $H_1$ query, checks whether $(ID_i, X_i, W_i, d_i)$ exists in the list $H_1$. If it does, returns $d_i$ to $A_I$. Otherwise, B randomly selects $d_i \in Z_p^*$, sends it to $A_I$ and stores $(ID_i, X_i, W_i, d_i)$ in the list $H_1$;
$H_2$ query: A list $L$ is created and initialized to empty. If the identity in the $(ID_i, x_i)$ query already exists in the list, B returns $H_2(ID_i) = x_i$. Otherwise, randomly selects an integer $x_i \in Z_p^*$, sends it to $A_I$ and adds $(ID_i, x_i)$ to the list $L$. Finally, it returns $x_i$ to $A_I$;
$H_3$ query: The identity $ID_i$ is taken as input. B creates a tuple $(ID_i, k_i)$ in the list $H_3$ and initializes it to empty. If $(ID_i, k_i)$ exists in the list $H_3$, $k_i$ is returned to $A_I$. Otherwise, randomly selects $k_i \in Z_p$, returns it to the adversary and adds it to the tuple $(ID_i, k_i)$ of the list $H_3$;
$H_4$ query: Inputs the identity $ID_i$, B creates $(ID_i, T_i)$ in the list $H_4$ and initializes it to empty. If $(ID_i, T_i)$ exists in the list $H_4$, it returns $T_i$ to $A_I$. Otherwise, randomly selects an integer $T_i \in G_1$, returns it to $A_I$ and adds it to $(ID_i, T_i)$ of the list $H_4$;
$H_5$ query: $(M, ID_i, X_i, Y_i, R)$ is taken as input. If $(M, ID_i, X_i, Y_i, R, h_k)$ exists in the list $H_5$, B sends $h_k$ to $A_I$; otherwise, randomly selects $h_k \in Z_p^*$, sends it to $A_I$ and stores $(M, ID_i, X_i, Y_i, R, h_k)$ in the list $H_5$;
Key query: If $(ID_i, SK_i, PK_i, x_i, z_i)$ exists in the list $H_i$, keep tuple $(ID_i, SK_i, PK_i, x_i, z_i)$. Otherwise, B responds as follows: exists in the list $H_i$, B sends private key $SK_i$ to $A_I$; otherwise, B runs key query, returns tuple $(ID_i, SK_i, PK_i, x_i, z_i)$ and sends $SK_i$ to $A_I$. If tuple $(ID_i, SK_i, PK_i, w_i, x_i, z_i)$ exists in the list $H_i$ after receiving the request, B replaces $PK_i$ with public key $PK'_i$; otherwise, B stores tuple $(ID_i, SK_i, PK_i, x_i, z_i)$ in list $H_i$.
Signcryption query: If $ID_i \neq ID_j$, $i = 1, 2, \dots, n$, B runs the private key query, outputs $SK_s$, ciphertext $CT$, and sends $CT$ to $A_I$; otherwise, B responds as follows:

Private key query: If
Thus, if $A_{II}$ breaks the proposed work, B is able to solve the DDH problem.
Theorem 3. Define one-way functions $H$ and $\{H_i\}_{i=1,2,\dots,5}$. If the CDH problem in $(G_1, G_2)$ is hard, the scheme is secure against the SUF-CMID-CCA of $A_I / A_{II}$. If the challenge identity $ID_i^*$ is received, B will send $PK_{pub} = a \cdot P_1$ to $A_I$; otherwise, randomly selects $x_i \in Z_p^*$ and computes $PK_{pub} = x_i \cdot P_1$. the challenge identity $ID_i^*$ is received, B returns $\perp$; otherwise, runs private key query and sends $x_i \in Z_p^*$ to A.
Signcryption query: B runs the following steps on the identity:

$abP$ and outputs $\alpha\beta P = r \cdot X_i - PK_i$; otherwise, outputs the terminator $\perp$.
Theorem 4. Define one-way functions $H$ and $\{H_i\}_{i=1,2,\dots,5}$. If the DBDH problem in $(G_1, G_2)$ is hard, our work is secure against the ANON-CMID-CCA of $A_I$.
Proof: Simulator B is created to solve the DBDH problem in $(G_1, G_2)$. B interacts with $A_I$ as follows: The simulator sets system public key $PK_{pub} = aP_1$, sends system parameter Pars $= \{G_1, G_2, G_T, p, e, f(), H, H_1, H_2, H_3, H_4, H_5, (E, D)\}$ to $A_I$, and $A_I$ outputs the target identity $\{ID_i\}_{i=1,2,\dots,n}$.
Phase 1: $A_I$ executes a series of adaptive queries consistent with Theorem 1.
Challenge: $A_I$ cannot run partial private key query on $ID_i \in \{S_0^*, S_1^*\}$. Message $M$, two identities and public key sets with different lengths $S_0^* = (ID_0^*/X_0^*, ID_2/X_2, \dots, ID_l/X_l)$ and $S_1^* = (ID_1^*/X_1^*, ID_2/X_2, \dots, ID_l/X_l)$ are taken as inputs. B runs as follows: t) $\cdot\, PK_T$ and $C_4^* = e(P_1, P_2)$ I guesses $b'$; if $b' = b$, B outputs 1, otherwise, outputs 0.
Analysis: Simulator B is indistinguishable from the scheme in the above game. When $Z = e(P_1, P_2)^{\alpha\beta c}$, assuming that $k^* = c$. $C_3^* = E_K(M_b \| t)$ where $K = H_3(A)$ is a random element. Therefore, $A_I$ views $M_\beta$ as independent, and our work is secure against the ANON-CMID-CCA.
Theorem 5. If the DDH problem in $G_1$ is hard, our proposed work is secure against the ANON-CMID-CCA of $A_{II}$.
Proof: Simulator B is created to solve the hard problems of DDH in $G_1$. Let $P_1, aP_1, bP_1, W \in G_1$, where $a, b \in Z_p^*$ are unknown; judge whether $W = abP_1$. B and $A_{II}$ simulate the security game. Simulator B is indistinguishable from the scheme in the above game. When $W = abP_1$, assuming that $r_1 = a$. In addition, $W$ is a random element of group $G_1$, and $C_3^* = E_K(M_b \| t)$ where $K = H_3(A)$ is a random element. Therefore, $A_{II}$ views $M_\beta$ as independent, and our work is secure against the ANON-CMID-CCA.